Amazon DynamoDB | Encryption at rest Flashcards
Can I use On-Demand Backup to back up my DynamoDB tables and restore these to another AWS account?
Encryption at rest
Amazon DynamoDB | Database
No. Currently, you can use On-Demand Backup to back up a table and restore it to the same region within the same AWS account where the backup was taken.
What is DynamoDB encryption at rest?
DynamoDB encryption at rest provides you with the ability to enable encryption for the data persisted (data at rest) in your DynamoDB tables. This includes the base table, local secondary indexes, and global secondary indexes. Encryption at rest automatically integrates with AWS Key Management Service (KMS) for managing the keys used for encrypting your tables.
Why do I need to use encryption at rest?
Encryption at rest is a managed server-side encryption feature using AWS KMS keys stored in your AWS account. You do not have to implement and maintain additional code to encrypt data before it is sent to DynamoDB and decrypt data after it is retrieved. Once encryption at rest is enabled for a DynamoDB table, your application will work seamlessly without any other changes.
How do I encrypt a table?
You can enable encryption at rest for your new DynamoDB tables using the console, AWS CLI, or API. At present, you cannot enable encryption at rest for an existing DynamoDB table.
Are my Global Secondary Indexes (GSI) and Local Secondary Indexes (LSI) encrypted in encryption at rest?
Yes, Global Secondary Indexes (GSI) and Local Secondary Indexes (LSI) associated with an encrypted table are encrypted by default using the same key that is used to encrypt the table.
What are the additional costs for using DynamoDB encryption at rest?
There are no additional DynamoDB costs for using DynamoDB encryption at rest. However, KMS charges will apply for using a service default key. These charges can be seen on the AWS KMS pricing page.
Can I encrypt DynamoDB Streams?
Currently, you cannot enable encryption at rest for DynamoDB Streams. If encryption at rest is a compliance/regulatory requirement, we recommend turning off DynamoDB Streams for encrypted tables.
Are DynamoDB On-Demand Backups encrypted as well?
Yes, On-Demand Backups of encrypted DynamoDB tables are encrypted (using S3’s Server-Side Encryption). At present, these backups are partially encrypted using your service default keys and service-managed keys. We are working towards encrypting all data related to On-Demand Backups using only customer-owned KMS keys.
How does encryption at rest encrypt my data?
DynamoDB uses envelope encryption to encrypt your data in which it uses a hierarchy of encryption keys to encrypt the database. You use AWS KMS to manage the top-level encryption keys in this hierarchy. Once your data is encrypted, Amazon DynamoDB handles decryption of your data transparently with a minimal impact on performance. You don’t need to modify your database client applications to use encryption.
How do I manage my keys used for encryption at rest?
DynamoDB is integrated with AWS KMS for ease of managing the key(s) used to encrypt your tables. DynamoDB encryption at rest uses service default keys (specific to DynamoDB) stored in your KMS account. If a service default key does not exist when creating your encrypted DynamoDB table, KMS will automatically create a new key for you that will be used with encrypted tables created in the future. For more information, see the AWS Key Management Service Developer Guide.
Which encryption keys can I choose to encrypt my DynamoDB table?
Currently, you can only use the service default key used for your DynamoDB tables. If this key doesn’t exist, it will be created.
What is the role of my service default key in AWS Key Management Service (KMS) in encryption at rest?
DynamoDB cannot read your table data without access to your KMS service default key. DynamoDB uses envelope encryption and a key hierarchy to encrypt data. Your KMS encryption key is used to encrypt the root key of this key hierarchy. For more information, see How Envelope Encryption Works with Supported AWS Service.
Can I use different service default keys for different tables?
No, DynamoDB uses a single service default key for encrypting all of your DynamoDB tables.
Can I encrypt only a subset of items in a table?
No. Encryption at rest works at table-level granularity.
How can I check if encryption at rest is enabled on my table?
From the console, you can get the status of encryption from the “Table details” section of the “Overview” tab. You can also use the DescribeTable command to get the status of encryption on the table.